Ended up doing the same thing with a validating webhook using OPA On Mon, Nov 18, 2019, 4:13 AM Alan Christie < achris...@informaticsmatters.com> wrote:
> Thanks, > > I was wondering whether I could create an arbitrary storage class so (if > the application can be adjusted to name that class) this might well be a > solution. I’ll poke around today, thanks. > > > Alan Christie > achris...@informaticsmatters.com > > > > On 18 Nov 2019, at 12:08 pm, Frederic Giloux <fgil...@redhat.com> wrote: > > Hi Alan > > you can use a storage class for the purpose [1] and pair it with quotas > for the defined storage class [2] as proposed by Samuel. > > [1] > https://docs.okd.io/3.11/install_config/storage_examples/storage_classes_legacy.html#install-config-storage-examples-storage-classes-legacy > [2] > https://docs.okd.io/3.11/dev_guide/compute_resources.html#dev-managed-by-quota > > Regards, > > Frédéric > > On Mon, Nov 18, 2019 at 12:38 PM Samuel Martín Moro <faus...@gmail.com> > wrote: > >> Not that I know of. >> The claimRef is not meant to be changed manually. Once set, PV should >> have been bound already, you won't be able to only set a namespace. >> >> Have you considered using ResourceQuotas? >> >> To deny users in a Project from requesting persistent storage, you could >> use the following: >> >> apiVersion: v1 >> kind: ResourceQuota >> metadata: >> name: no-pv >> namespace: project-with-no-persistent-volumes >> spec: >> hard: >> persistentvolumeclaims: 0 >> >> >> On Mon, Nov 18, 2019 at 12:00 PM Alan Christie < >> achris...@informaticsmatters.com> wrote: >> >>> On the topic of volume claim pre-binding … >>> >>> Is there a pattern for creating volumes that can only be bound to a PVC >>> from a known namespace, specifically when the PVC name may not be known in >>> advance? >>> >>> In my specific case I don’t have control over the application's PVC name >>> but I do know its namespace. I need to prevent the pre-allocated volume >>> from being bound to a claim from a namespace other than the one the >>> application’s in. >>> >>> The `PersistentVolume` spec contains a `claimRef` section but I suspect >>> that you can’t just fill-out the `namespace`, you need to provide both the >>> `name` and `namespace` (because although the former doesn’t generate an >>> error it doesn’t work). >>> >>> Any suggestions? >>> >>> Alan Christie >>> achris...@informaticsmatters.com >>> >>> >>> >>> >>> _______________________________________________ >>> users mailing list >>> users@lists.openshift.redhat.com >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>> >> >> >> -- >> Samuel Martín Moro >> {EPITECH.} 2011 >> >> "Nobody wants to say how this works. >> Maybe nobody knows ..." >> Xorg.conf(5) >> _______________________________________________ >> users mailing list >> users@lists.openshift.redhat.com >> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >> > > > -- > *Frédéric Giloux* > Senior Technical Account Manager > Red Hat Germany > > fgil...@redhat.com M: +49-174-172-4661 > > redhat.com | TRIED. TESTED. TRUSTED. | redhat.com/trusted > ________________________________________________________________________ > Red Hat GmbH, http://www.de.redhat.com/, Sitz: Grasbrunn, > Handelsregister: Amtsgericht München, HRB 153243, > Geschäftsführer: Charles Cachera, Michael O'Neill, Tom Savage, Eric Shander > > > _______________________________________________ > users mailing list > users@lists.openshift.redhat.com > http://lists.openshift.redhat.com/openshiftmm/listinfo/users >
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
